请问有什么好的理由身份验证Cookie和会话状态的cookie是两个独立的饼干? [英] Is there any good reason why the authentication cookie and the session state cookie are two separate cookies?
问题描述
有没有什么好的理由ASP.NET的会话状态的cookie和窗体身份验证cookie是两个独立的饼干?如果我想给他们绑到对方?是否有可能在一个优雅的方式?
Is there any good reason why ASP.NET's session state cookie and the Forms Authentication cookie are two separate cookies? What if I want to "tie" them to each other? Is it possible in an elegant way?
现在,我坚持以下解决方案,它的工作原理,但仍是丑陋的:
Right now, I am stuck with the following solution, which works, but is still ugly:
[Authorize]
public ActionResult SomeAction(SomeModel model)
{
// The following four lines must be included in *every* controller action
// that requires the user to be authenticated, defeating the purpose of
// having the Authorize attribute.
if (SomeStaticClass.WasSessionStateLost/*?*/) {
FormsAuthentication.SignOut();
return RedirectToAction("Login", "Account");
}
// ...
}
@ RPM1984:这是会发生什么:
[HttpPost]
public ActionResult Login(LoginModel loginModel)
{
if (/* user ok */)
{
// ...
Session["UserID"] = loginModel.UserID;
Session["Password"] = loginModel.Password;
// ...
}
else
{
return View();
}
}
和它不会花费太多猜测知道 WasSessionStateLost
一样。
And it doesn't take much guessing to know what WasSessionStateLost
does.
推荐答案
我将开始与解决方法,然后解释后跟一个建议。
I'll start with a solution, then an explanation followed by a recommendation.
创建自定义授权属性:
由于您的应用程序定义授权
如下:
Since your application defines Authorized
as follows:
- 已登录
- 必须在
值会话[用户名]
和会话[密码]
- Logged in
- Must have values in
Session["UserID"]
andSession["Password"]
您需要定义自己的AuthorizationAttribute
you need to define your own AuthorizationAttribute
public class AuthorizedWithSessionAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if(httpContext.Request.IsAuthenticated &&
Session["UserID"] != null && Session["Password"] != null)
return true;
// sign them out so they can log back in with the Password
if(httpContext.Request.IsAuthenticated)
FormsAuthentication.SignOut();
return false;
}
}
替换所有的 [授权]
属性与 [AuthorizedWithSession]
键,你不应该需要把会话检查code在控制器。
Replace all your [Authorize]
attributes with [AuthorizedWithSession]
and you shouldn't need to put session check code in your controllers.
我不知道有足够的了解你的应用程序,但在节省会议(甚至以纯文本格式更坏)的密码是不是做一个安全的事情。
I don't know enough about your application, but saving passwords in session (even worse in plain text) is not a secure thing to do.
此外, RPM1984
表示,会话cookie和身份验证cookie是分开的。
In addition, as RPM1984
said, the session cookie and authentication cookie are separate.
说明:
想与您的姓名的会话信息一桶(服务器端)的。 ASP.NET可以放东西在桶。 ASP.NET为您提供了一个名字,你的会话ID,并把它放在桶里,因此可以知道哪一个是你的了。
Think of the session as a bucket of info (on the server side) with your name on it. ASP.NET can take and put stuff in that bucket. ASP.NET gives you a name, your session id, and puts it on the bucket so it can know which one is yours.
身份验证cookie告诉你验证,并在其中存储您的验证名称ASP.NET。认证名称通常是由应用程序的开发者设定,通常是一个唯一的密钥(认为在DB主键),以从其他用户分开。
The authentication cookie tells ASP.NET that you're authenticated and stores your authentication name in it. The authentication name is usually set by the developer of the application and is usually a unique key (think primary key in a DB) to separate you from the other users.
建议更加安全的:
加密你对他们店前的密码。这并不是绝对安全,但它以纯文本形式存储节拍和口令当然,如果有人获得加密密钥的时候,就可以破解密码。
Encrypt the passwords before your store them. This is not total security, but it beats storing passwords in plain text and of course, if someone were to get a hold of the encryption key, they can crack the passwords.
这篇关于请问有什么好的理由身份验证Cookie和会话状态的cookie是两个独立的饼干?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!